Josh Goldfarb, Fraud Solutions Architect for EMEA and APCJ at F5, on why you can’t afford to ignore a well-known and growing menace.
If a burglar wanted to gain entry to your home, they could force their way in – perhaps by picking a lock, breaking a window, or some other means. If a neighbor heard noises or saw strange activity, they might call the police. This might result in the burglar getting caught, of course.
On the other hand, the burglar could try to convince you to hand over your keys willingly. Perhaps by posing as a delivery or repair person, or inspector, or by telling a plausible story. If the burglar can get their hands on the keys, they can simply walk right in – as if they are doing so legitimately, and no one suspects a thing.
In the digital world, phishing is how burglars (cybercriminals) gain entry to your home (your critical systems and sensitive data). Successful phishing attacks provide attackers with stolen credentials that allow them to simply ‘walk into’ your business and gain access to the targets they have set their sights on.
How come phishing is so effective? Well, for starters, phishing attacks have evolved significantly in recent years. Whereas they once were primitive, full of typos, and not particularly convincing, nowadays, even experts have trouble distinguishing phishing emails from legitimate emails. Phishing sites also look remarkably like the legitimate ones they are designed to imitate. It is no wonder so many users are fooled into providing their credentials to the attackers. In other words, handing over their keys willingly.
As many businesses continue to go through a digital transformation, the use of this method of attack has greatly accelerated, and the resulting damage spreading. An increased online presence means a bigger online attack surface and risk. Attackers don’t need to devise complex schemes to force entry into businesses these days – they can merely invest in convincing unsuspecting users to hand over their valid credentials.
That said, what can businesses do to protect their online applications from security and fraud incidents?
Simply rooting out the phishing sites is not enough to combat credential theft. Attackers can create phishing sites with ease. When we take one down, another one pops up elsewhere. This can often devolve into a never-ending battle of attrition that rarely makes our online applications more secure or protects them from fraud.
Instead, if we assume that a certain percentage of our legitimate users will fall prey to phishing attacks and will have their credentials stolen, we can adapt accordingly. When we shift our perspective and take this approach, we realise that identifying and mitigating security and fraud attacks that result from credential theft becomes one of our main focuses. Adapting our approach helps us to protect our online applications from the array of phishing attacks that are likely being launched against them on a regular basis.
There are likely many approaches we can take to mitigating risk due to credential theft. Here are a few of them:
- Eliminate automation. Attackers build databases of stolen credentials that they amass from a variety of sources, phishing among them. Those stolen credentials are often tested in bulk using bots. The credentials that are valid are then often used to commit Account Takeover (ATO) and manual fraud. Eliminating these automated attacks not only mitigates this risk, but it also reduces infrastructure costs going to undesired non-human (bot) traffic.
- Stop ATO. Attackers that can leverage valid stolen credentials to log in to stolen accounts and masquerade as legitimate users can use that access to commit fraud. This manual fraud, of course, results in losses incurred by businesses that fall victim to these incidents. Detecting and mitigating Account Takeover (ATO) stops these fraud losses, saving businesses money.
- Reduce friction. Increased risk of fraud often results in businesses instituting more stringent authentication and Multi-Factor Authentication (MFA) requirements.
Unfortunately, this approach adds friction for legitimate customers without significantly reducing fraud losses. Attackers are resourceful, motivated, and adept at finding workarounds. If we can reliably identify automation and manual fraud, we can also reliably identify desired legitimate traffic. Once we know the traffic we want, we are less likely to inconvenience legitimate customers and can focus on stopping the attackers instead.
Phishing attacks are here to stay and will likely continue to increase in number. Fortunately, we have means to combat them. By zeroing in on the risk of credential theft, businesses can focus their efforts on reducing losses due to security and fraud incidents. While there is no way to mitigate all risk, taking steps to eliminate automation, stop ATOs and reduce friction can ensure that businesses keep a steady stream of revenue from legitimate customers while reducing losses from bots and fraud.